How to use video cameras after the implementation of the General Data Protection Regulation?

Written on 20 Jul 2018

The guide issued by the Spanish Data Protection Agency highlights one of the most sensitive issues in terms of data protection: video surveillance. To address this issue, the Agency offers an analysis on the use of video cameras for security purposes as well as cases in which security is not the main purpose, both with the aim of complying with the provisions of the new General Data Protection Regulation.

The Spanish Data Protection Agency ("AEPD"), after the implementation of the General Data Protection Regulation ("GDPR"), which is mandatory since 25 May 2018, has published a new guide that addresses a series of principles and obligations that should be taken into account for images recorded by video cameras. The guide is divided into two parts, offering, on the one hand, guidance on image processing for security purposes and specific circumstances and, on the other hand, image processing for other purposes besides security.

Image processing for security purposes

When using video cameras for security purposes, the public interest is seen as a legitimate basis for recording images given that the objective is to guarantee the security of people, goods, and facilities.
Although, as a general rule, the capture of this type of images must be carried out by the Security and Law Enforcement Authorities, as it is their duty to prevent criminal acts and guarantee safety on public roads, it should be noted that in some circumstances it is necessary to use video cameras to guarantee the safety of private spaces.

The provisions introduced by the GDPR should be taken into account when capturing images for security purposes. Among other aspects included in the aforementioned regulation, the principle of proportionality must be considered, by which in no case may the captured images be used for other purposes besides the originally intended, all while assessing whether or not there are spaces in its installation that may be disproportionate, such as changing rooms, lockers and workers' rest areas.

For the installation of video cameras, special consideration should be given to the IP cameras (or network cameras), as well as to the access control mechanisms that have been enabled, in order to guarantee optimal security conditions.

The data controller must comply, at all times, with the right of information of the affected individuals by including easily visible signs in each of the accesses, that indicate that the recording is taking place, the identity details of the data controller, the possibility of exercising their data protection rights and where to obtain more information about the data recording.

Due to the particularities of video surveillance, the guide introduces new features in terms of data protection rights. Thus, the rights of rectification and portability of the data would not apply and the right of access should be verified with an updated image of the affected subject.

Specific cases of image processing for security purposes

In another paragraph within this first section, the guide goes on to analyse specific cases, as well as the particularities derived from the installation of video cameras in certain public places. In general, the installation of video cameras in such spaces must be authorized by the City Council, prior to a mandatory report, while always taking into account the criteria for proportionality and minimum intervention. The authorization will have a maximum validity of one year.

One of these cases is the celebration of important sporting events, in which the images collected by said devices can only be forwarded to the Security and Law Enforcement Authorities or to competent authorities in case of racist, xenophobic, intolerant and/or violent behaviour. A similar process occurs with financial entities, since they can only send their images to the Security and Law Enforcement Authorities in case a criminal act has occurred, in order to be able to identify the perpetrator(s) of the crime. Unlike the general term of one month of suppression of the images, financial entities must delete the images within a period of fifteen days from their recording, unless the judicial or the Security and Law Enforcement Authorities decide otherwise.

Another case that the guide highlights is the installation of video cameras in homeowners' communities. It is important to note that the installation of the video cameras is subject to approval from the homeowners' meeting, which should conveniently regulate aspects such as the characteristics of the video surveillance system, the number of cameras and the spaces they capture. In any case, only images of common areas in the homeowners' community, whose access is restricted to the people designated by the community, can be captured. The guide emphasizes that the person in charge of such processing needs to inform in a clear and unambiguous manner the existence of the video surveillance zone by including easily visible signs, as already indicated in previous paragraphs.

In academic establishments, and because of the type of public that congregates in these facilities, the installation of video surveillance cameras requires the utmost caution. The guide offers a series of indications in this respect, which highlight the restriction of installing cameras in places that could violate the privacy of those affected individuals (bathrooms, changing rooms, etc.), as well as the restriction to use the recordings of said images for school attendance control purposes.

Processing of images for purposes other than security

The second section highlights those cases in which the video cameras can be used for other purposes not related to security. With the near future in mind, one of the novelties of this guide is the indications that the AEPD makes regarding the drones that carry information-processing systems that involve image recording. Based on Opinion 01/2015, of 16 June 2015, of the Article 29 Working Party, the guide emphasizes the ignorance of the existence of the drone by the affected individuals, since this aircraft is able to record data without being seen. With that in mind, the owner of the drone must take into account, among other aspects, to carry out an impact assessment, inform those affected individuals prior to the recording and establish appropriate safety measures for said processing with the objective of causing the least possible impact on those affected individuals when the use of this type of aircraft is carried out.

Furthermore, the guide mentions the use of "on board" cameras, which have grown in popularity in recent times for use in vehicles or on motorcyclist helmets. The guide distinguishes, among those cases, if the recording is made for domestic use or for obtaining evidence for liability purposes.

In conclusion, the AEPD with this guide seeks to bring the GDPR to everyday situations in which images are recorded by video cameras, pointing out the particularities involved in the installation of these systems in certain spaces, with the aim that all processing carried out is in accordance with the provisions and criteria introduced in the GDPR.